[[!meta title="Blackhat 2011 DC: De-Anonymizing Live CDs"]]

During the [2011 DC
edition](http://www.blackhat.com/html/bh-dc-11/bh-dc-11-home.html) of the
Blackhat conference, [Andrew
Case](http://www.blackhat.com/html/bh-dc-11/bh-dc-11-speaker_bios.html#Case) did a
presentation about his research on [de-anonymization of Live
CDs](http://www.blackhat.com/html/bh-dc-11/bh-dc-11-briefings.html#Case) through
forensics techniques applied to the system memory content, which mostly
concerned T(A)ILS itself. Some parts of it were also talking about memory
analysis of Tor itself.

* Slides can be found
[here](https://media.blackhat.com/bh-dc-11/Case/BlackHat_DC_2011_Case_De-Anonymizing%20Live%20CDs-Slides.pdf)
* Full paper can be found
[here](https://media.blackhat.com/bh-dc-11/Case/BlackHat_DC_2011_Case_De-Anonymizing_Live_CDs-wp.pdf)

The disclosure of this attack leads to a better implementation of the
smem feature in Tails, using kexec to ensure every non-kernel bit of
the memory is wiped; this new implementation is shipped in Tails 0.7
and later. Implementation of automatic memory wiping [[when the live
media is removed|todo/erase_memory_when_the_USB_stick_is_removed]],
also shipped as of Tails 0.7, also helps defeating it, at least in the
case this attack takes place when someone's home is raided.
